Pages

Friday, March 11, 2005

Is Your IPod Spying on You?

Eric Sinrod has a completely nonsensical column in yesterday’s USA Today about how MP3 players are going to be the next big risk to personal privacy. His entire column is based on a piece Dr. Larry Ponemon of the “Ponemon Institute” (that ain’t the Pokemon Institute, it’s a “privacy think-tank”—that’s rich) wrote back in February for Darwin magazine about the privacy risks of MP3 players. His evidence? One anecdotal piece of evidence about a ten-year-old girl who got a “shiny MP3 player” for Christmas (they don’t say what kind it was); the girl, who only goes by the name “Olivia,” started downloading hundreds of songs, only to be deluged a few weeks later with targeted ads for rock concerts, CDs, and “pop clothing star sales.” Her “computer-savvy” mom called the manufacturer to complain about how her daughter’s MP3 player had violated her privacy, only to be told that it was impossible for the device to do that.

Sounds like Olivia probably got hit with some spyware after downloading some not-so-legal music, right? Not according to Sinrod, who claims that ”[MP3] players can collect personal information and track user musical preferences,” and that “the process for collecting end-users’ sensitive personal information, such as music and artist preferences, vary by manufacturer and technology.” Really? Too bad he doesn’t give an example of a single player that does this.

Instead he says that there are three points at which manufacturers are collecting your private info: when you buy, set up, or register your warranty for the player (duh, you give them that info, it’s called opting-in), when you download music from the Internet (if you’re buying music then they usually have your credit card info, and if you’re getting it over P2P you should be smart enough to know that you’re almost certainly not anonymous—either way, unless you’re buying from Apple, the manufacturer is almost never the content vendor), and when you’re sharing or uploading music to other devices (huh?).

We’d maybe be convinced if he provided some evidence that jukebox software apps like iTunes and MusicMatch were collecting information about what music people have in their collections and then secretly sending it back to the mothership, but he doesn’t even bring this up as a possibility, let alone present any evidence that it’s happening.

He then really muddles things by mentioning how some MP3 players now have Bluetooth, which means that someone could wirelessly grab you personal info. First off, hardly any MP3 players come with built-in Bluetooth, and even the ones that do typically only support the hands-free and headset profiles—and that’s even assuming there was any personally identifying information on the thing except maybe those potentially embarrassing MP3s (Kelly Clarkson, eh?).

But it gets worse still. He then mentions that “some MP3 players are now equipped with additional peripherals such as digital cameras. The wireless capability of these devices make digital images equally insecure.” What? Wireless capability? Insecure digital images? Name one MP3 player with a built-in digital camera that ALSO has wireless capability, either integrated or as an add-in.

He then also throws out some BS statistics (also courtesy of the Ponemon Institute) about how most people say they would stop using their MP3 player if they had become the victim of a privacy breach and that manufacturers should make sure there are limitations on the sharing of personal information. Yeah, who wouldn’t say that?

The advice he then gives on how you can prevent your MP3 player from being the source of a privacy violation are either obvious or befuddling. He says you should read your EULA carefully and understand the manufacturer’s privacy policy, but then he goes on to recommend that you figure out how to “opt-out of data collection or transfer by turning off polling features within the device itself” and to make sure to keep that Bluetooth-enabled MP3 player you almost definitely don’t own or use out of “hot zones,” which could be “almost anywhere, including in proximity to someone else’s mobile phone.” Yeah, really helpful advice there!

Sinrod then concludes with the only part of the column that actually does make sense: that “MP3 users, as a population segment, do not seem too worried about privacy risks,” and that “perhaps this is because there have not been many privacy breaches in terms of the use of these devices — yet.” Or at all. It’s one thing to talk about how software apps or online stores are collecting personal data, but it’s completely weak to try and get people scared about the prospect of their iPod divulging sensitive data, especially when there has never been an instance of this happening. Look, we know that before and especially after the Paris Hilton thing it’s been pretty fashionable to write scare pieces about how our gadgets are going to give us away, but this is drivel, plain and simple.

Well, the story is mostly hype. But, you gotta be careful divulging your personal information.